The Security Skeptic

Rod Rasmussen and I collaborated to publish an APWG Advisory that describes how phishers use subdomain registries to provide safe harbors for malicious and criminal activities. A subdomain registry is a naming service web hosting providers offer to customers. The provider allows customers to register a subdomain from one of its own registered domains as part of a hosting service package. Customers to choose a label (name) from the parent domain. The general structure for names of this kind is:

<customer_term>.<service_provider_domain_name>.<TLD>

For example, if the web hosting company has registered the domain freewebhosting.com, a customer could register securityskeptic.freewebhosting.com, Paypal.freewebhosting.com, BankofAmerica.freewebhosting.com...

But wait, would some of those names infringe on a brand? And couldn't someone use such a site to impersonate a brand and phish for accounts from such a site? They can indeed, and the practice is becoming widespread and difficult to contain.

Our advisory examines this unintended consequence of spinning one's own registry by largely well intentioned free web hosting providers, and also discusses measures individuals and organizations can consider if they opt to make these harbors less attractive and effective to phishers.

See Making Waves in the Phishers' Safest Harbors: Exposing the Dark Side of Subdomain Registries at APWG.COM.

Archived at http://www.securityskeptic.com/arc20081101.htm#BlogID712 by Dave Piscitello  

I still recall my first visit to a Baskin Robbins Ice Cream Parlor. Some of you no doubt recall your own awe and anticipation when presented with the opportunity to choose from 31 flavors of ice cream! Fifty years later, and I feel angst and trepidation when I confront the imposing numbers of phlavors of phishing.

Phishing is commonly associated with financial scams and identity theft. As I scanned nearly six months of mail posted to an antiphishing list, I noticed how broad the phishing reach has extended. Sifting through five months' worth of posts and several weeks worth of URLs listed at PhishTank, I found at least one phishing attack notification and multiple targets in the following categories:

• Financial scams/Identity theft. The list of banks attacked illustrates that financial institutions of all sizes and kinds are in play: Abbey, Alliance, Barclays, Chase, Citigroup, Colonial, commerce, Compass, Farmers State, Franklin, Halifax, HSBC, Home Valley, Leicester, Lloyds, NatWest,Ocean, State Farm, Synergy, UniCredit Banca di Roma, Wells Fargo,...

• Bank scams that use fake security certificates. In attacks against Wachovia and Bank of America, phishers used bogus digital certificates to convince visitors that the site is SSL-protected.

• Domain name authority impersonations. Phishers used anticipated correspondence (e.g., annual Whois accuracy reporting, account verification) from ICANN, eNom, Network Solutions, Netsons (reseller) to convince users to disclose login information for domain name account management.

• Government agency impersonations. Phishers impersonated US IRS eFile and Her Majesty's Revenue and Customs, and the FTC to obtain social security IDs and other personal information.

• Fee/Deposit scams. Phishers still lure victims with various state and national lotteries, and other 419/Nigerian scams, and now customize these with phony contests run by recognizable brands like Pepsi.

• Banner and pay per click ads. Phishers replicated landing pages and altered Google Adsense and AdWords on these pages to divert PPC revenue from Google customers to accounts they control directly or through mules.

• Software scams. Impersonating Microsoft, antivirus companies (AntiVir, McAfee), and open source developers (Joomla!), phishers lured victims into downloading malware instead of patches, virus definitions, and executable binaries.

• Political contribution scams: Obama and McCain

• eMerchants: The major eMerchants (eBay, PayPal, Amazon.com) remain prime targets for phishers, but smaller (Big 5 Sporting Goods, Shopping.com) are targets now as well.

• Online payment services: Phishers remain very interested in hijackingPayPal, MoneyBookers, and Cahoot accounts.

• VoIP Service hijacking: Vonage is primary target for enticing customers into downloading malware that purports to optimize your VoIP service. Account hijacking was also popular.

• Online Pharmaceuticals. I found hundreds of domains hosting sites that sell prescription meds without prescriptions. They are inherently illegal, so phishers don't need to impersonate a Pharmacy brand.

• Airline rewards programs: AAdvantage was phished using a $50 award for completing a survey that included numerous questions seeking personal and financial information.

• Social Networks. Phishers targeted Facebook, Hi5, Classmates.com, SinglesNet.com, Habbo, and HabboTeen accounts. I could have listed a dozen more if I could read Cyrillic, Korean, Chinese, and Japanese. These are great resources for hosting malware and to send spam.

• Sharing sites. account grabbersFlickr, Myfavoritetube.net, YouTube, Yahoo! Photos

• Blogs. Geocities and BlogSpot are reputed to be the hottest spots for hosting malware. The phish email notices I found corroborate this claim.

• email accounts: Gmail, MSN, and Yahoo! email accounts are valued by phishers because they can be used to spam or to collect stolen credentials they obtain from impersonation web sites.

• List, messenger, and contact managers. Phishers cast their nets to any account they can compromise, from the "remove my email address from your list" managers to sites such as Twitter,CheckMessenger3, MeetYourMessenger, Messenger FX that enhance or extend the reach of instant messaging.

If I were a phishing behavior analyst, I might profile a formidable phishing "unsub" as follows. The unsub attacks any financial, merchant or social networking venue that he believes will eventually lead to money or resources. He explores any and all means available to obtain personal information and account logins. The unsub is interested in any account. He relies on the inherent laziness of Internet users who use the same names and passwords for many if not all of the web accounts they create. He is patient, willing to sort and correlate information from multiple, successful attacks against an individual to land a whale, an individual with a fat online banking account and sloppy Internet habits, to gain administrative control over a portfolio of domain names that he can use to make money via subsequent phishing attacks, or to sell in the underground market to other unsubs.He is elusive, and criminally clever.

If you don't want to be the next unsub's victim, take measures to protect all your online accounts. Don't use short, simple passwords. Don't use the same username and password for every account you create on the web. Don't publish information on social networks, blogs, and wikis that provide clues the unsub can collectively use to identify you. Imagine the kind of information you would hesitate to share with a stranger and exercise the same caution in your virtual world as you would in the real world.

Archived at http://www.securityskeptic.com/arc20081101.htm#BlogID711 by Dave Piscitello  

My ICANN SSAC committee published an advisory in June describing how phishers were impersonating domain name registrars and resellers. A registrar-impersonating phisher tries to lure a registrar's customer to a bogus copy of the registrar's customer login page. If the bogus registration page is a convincing one, the customer may unwittingly disclose his account credentials. The phisher will then use these credentials to modify or assume ownership of the customer's domain names.

Phishers use an anticipated correspondence from registrars and resellers as the lure, such as a domain name order confirmation, DNS modification confirmations and WHOIS data accuracy reminders. In some cases, it appears that phishers will attempt to impersonate ICANN rather than registrars or resellers.

Here's a sample of a recent phishing attack where the phisher attempted to impersonate ICANN:

From: ICANN [mailto:icann at icannresolve dot com]
Sent: Tuesday, June 24, 2008 12:22 AM
To: [REDACTED]
Subject: ICANN - Domain Upgrade Notice

Dear Domain Account Holder,

You are being sent this notice from ICANN due to the fact that you
currently own an active domain name. ICANN is currently upgrading all
domains from their registry database.

The upgrade will introduce new control options for your domain and
easier access. The new upgrade is required by the registry. All domain
users are expected to submit their domain information manually at
http://www dot icannresolve dot com/email/link.php?M=27952&N=5&L=1&F=T with the
required information for ICANN to apply the required updates.

The upgrades will be applied to accounts on a first come, first serve
basis. You have until July 25, 2008 to submit the required information
to avoid service and domain interruption.

Thank you for your time.

Sincerely,

ICANNResolve
ICANN.org Resolutions Department

This turned out to be a rather pheeble phish attempt. Domain portfolio holders who recognize the name ICANN are most likely to detect that this message is bogus. Those domain name holders who don't recognize ICANN would have been more likely to fall prey to this attack if the phisher had impersonated an ICANN-Accredited Registrar. A recipient of this scam message who did visit the embedded link would have landed on the following forms page:

This page is not a domain account management page but a faked copy of the ICANN Paris Meeting registration page.

If only all phishers were this lame. Sadly, as lame as this attack seems, some recipients were duped into disclosing all the information requested at the hoax site.

Archived at http://www.securityskeptic.com/arc20080801.htm#BlogID702 by Dave Piscitello  

The FTC has released a report on a Roundtable discussion on Phishing Education held April 1^st 2008. Yes, at first I was suspicious that this might be a hoax...

The panelists confirmed what I and many of my antiphishing working group colleagues have said for some time: phishing is mostly about social engineering and little about technology. It's good news that the antiphishing community is rallying around this theme, and even better that they point to ISPs and others who use redirection and landing pages as "teachable moments" for phishing education as role models.

How does this work? Typically, once a domain or web site has been identified as a phishing site, ISPs, registrars, etc. take down that site. In many cases, the ISP, hosting company, or even a DNS operator wil have an opportunity to redirect a usr's request for that page to an alternate web page called a landing page. Instead of having this landing page say "URL not found", the education pages says, "The web page you attempted to visit was suspended because it was a phishing site. Lucky you, we've disabled that site. Since you were tricked into visiting here, please read the following information and learn how to avoid doing this again. You may not be lucky twice..." The APWG working on just such a redirect page. Some ISPs and organizations have developed their own (1). IMO, this is a much better service to the community than the self-serving practice of error resolution.

An important part of the education provided at such pages and in training videos and sessions elsewhere is to emphasize how adept phishers have become at personalizing phish emails. Phishers commonly gather information to make their email impersonation of a brand like eBay or a bank look very real. This is old news. They now gather information from browser histories, public databases (WHOIS), etc., to personalize the email. Increasingly, you, the average Internet user, will receive email from "familiar faces". Not just any bank, but your bank. Not just any retailer, but retailers whom you've opted-in to routinely receive emails with sales and special offers. Phishers also target individuals who are likely to have considerable personal wealth: called spear-phishing, the attacker will target all the officers and board members of a corporation. These are the "whales" in the sea of targets they phish. Owners and officers of mall and medium businesses are just as vulnerable as large corporations, perhaps more so since they not have staff, technology and expertise in-house to educate and protect them. Discussing ways to make users aware of these and other new munitions in the phishers' arsenals is a very useful exercise and the FTC should continue to foster this sort of dialogue.

The FTC report itself is relatively brief, essentially a meeting report. But the messages highlighted in the summary are worth reading. Look for the report at http://www.ftc.gov/reports/index.shtm.

Archived at http://www.securityskeptic.com/arc20080701.htm#BlogID698 by Dave Piscitello  

The APWG has published its Global Phishing Survey: Domain Name Use and Trends in 2007. This report examines many phishing trends. The most interesting may well be the distribution of domains used by phishers according to generic and country code top level domain and the most worrisome may be the increased use of subdomain providers for phishing.

One reason why the APWG phishing survey is interesting is that it arrives at very different conclusions from McAfee's second annual "Map the Malweb" study. McAffee's lists (in order) Hong Kong, the People's Republic of China, Phillipines, Romania and Russia as the "most dangerous domains to surf and search on the web" and (in order) Finland, Japan, Norway, Slovenia, and Colombia as the safest.

Sidebar: I have a hard time wrapping my head around any phrase that includes "Colombia" and "safest" in the context of criminal activites, don't you? My immediate reaction was to Google "Colombia safest". Not surprisingly, I learned that Colombia's murder rate in 2003-2004 was nine times that of the U.S. and that Colombia is the ransom kidnapping capital of the world. Factor in drug trafficking and it's pretty clear few miscreants in that country have the time or patience to do e-crimes.

APWG's study uses an interesting metric - Phishing Domains per 10,000 - to assess whether one TLD has a higher or lower incidence of phishing relative to other TLDs. Applying this metric, APWG's top five are Hong Kong, Thailand, Liechtenstein, Romania and Chile. Among the safest TLDs you'll find European Union, United Kingdom, Germany, Argentina and Sweden.

The most curious result? McAfee ranks the INFO as the most risky generic TLD whereas APWG's metric ranks them as the safest.

Different metrics, data, measurement periods appear to contribute to the disparities in results. However, APWG casts a narrower net, including only domains that were proven to be associated with a phishing incident. McAfee's study web sites that contained adware, spyware, viruses, spam, excessive pop-ups, browser exploits or links to other risky sites in its "dangerous domains". Neither offer a glowing report, but no one I know would believe one if it were published :-O

Archived at http://www.securityskeptic.com/arc20080601.htm#BlogID694 by Dave Piscitello  

The Privacy Toolbox offers a list of 100 resources and guides to help users protect consumer and business identities and sensitive information. Toolbox is something of a misnomer. This is really a resources page - a good one, mind you - with links to guides that discuss all matters related to privacy, including how to protect your US Social Security number, how to freeze your credit rating should you suspect your identity has been stolen, how to remain anonymous when surfing, and how to complete obligatory web forms without disclosing your personal information (see 5 Disposable Web Accounts to Keep Your Identity Safe, brilliant!). Toolbox lists privacy related blogs, applications that cater to anonymity, confidentiality, and the protection of sensitive, personal information and sites where you can opt out of unsolicited credit card offers (visit OptOutPrescreen.com). Find the Privacy Toolbox here.

Archived at http://www.securityskeptic.com/arc20080301.htm#BlogID679 by Dave Piscitello  

Suppose you attempt to to purchase a product with a credit card on a site you've never visited before. You find the product you want, add it to your cart, and proceed to checkout.

You connect with HTTPS:// for that warm and comfy feeling everyone gets when they begin a *secure transaction*,-) But - oh my! - your browser warns you that some aspect of the certificate is suspicious; for example, the name of the server does not match the name in the server's certificate. This sometimes occurs when a company issues certificates from its own certificate authority, and that authority is not included in your browser's built-in list of trusted authority store. A similar warning may pop up if an e-merchant's certificate lifetime has expired. At this point, you can conclude that the merchant's web administration is possibly lax but the merchant may be reputable.

You are now faced with several choices. Abandon the purchase or restore your shaken confidence in this merchant by inspecting the certificate. If you choose the latter, and before you click on the popup that says, "yes, accept this certificate, get out of my face", you might want to try this.

Complete the checkout form, but fill in some of the personal and credit card fields with incorrect data; in particular, provide an incorrect credit card number. If the merchant accepts the purchase, you probably shouldn't trust the site and you ought to report the site to an antiphishing group. If the site tells you that the credit card (and personal) information is incorrect, try again, you can feel better about proceeding with the transaction.

This check is no guarantee against a very sophisticated deception. If you are uncertain, and especially if the buying opportunity is too good to resist, be suspicious and abandon the transaction.

Archived at http://www.securityskeptic.com/arc20080101.htm#BlogID666 by Dave Piscitello  

A recent post to an anti-phishing mailing list identified this clever and evil attack against domain name registrants. The attack exploits domain name renewal notice emails that registrars send to registrants. The attack uses similar social engineering and deception techniques as those used in identity theft and other phishing attacks. From the post...

"Phishing attacks against registrars allow for take-over of legitimate domain management accounts for use in future ROCK attacks - either through control of existing legitimate domains or via registration of new ROCK domains on an account that the registrar "trusts" since it's been used for valid purposes over a long period of time. With a domain take-over, you can reconfigure DNS to still work for the "real" site, while wild-carding all other host names - much the same way the ROCK group already operates, so take-down will be slowed considerably since the domain itself can't be deleted."

If I interpret this post correctly, the attacker (in this case, the notorious ROCK phishing group) proceeds as follows:

1. Use the WHOIS service to obtain the registrant's email contact information *and* the registrar for a domain name(s).

2. Set up a bogus registrar phishing site

3. Compose a renewal email that appears to be from the registrar and send this to the email contacts for the domain name(s).

4. Wait for registrants to fall prey to the deception.

5. When the registrant visits the bogus registrar web site, collect the registrant's account credentials via a bogus login page.

6. Use the collected account credentials to alter the registration record, i.e., to hijack the domain name or name service.

7. Use the domain name for illegal activities.

Once the attacker has control of the domain, he can attempt all sorts of illegal activities. The attacker can launch an attack against the domain itself (he controls the name service!); as colleague Danny McPherson of Arbor Networks points out, he can proxy or create a deception site at that domain name, insert an iframe, incorporate a BHO or other malware download to infect a visitor's PC. Or he can use the hijacked domains to facilitate fast flux attacks.

To conceal the illegal activities, the attacker will add records to the domain's legitimate zone file rather than replace the zone entirely to improve the odds that the hijacking may not be discovered quickly. This form of domain hijacking allows fast flux attackers to conceal the location of their illegal web sites even longer than before, and complicates takedown procedures that first responders and law enforcement might initiate because the domain name is not only used to abet phishing but to support the real business needs of the registrant that fell victim to the phishing attack and is thus not easily deleted from the TLD zone file.

It turns out that several of my domains are up for renewal. You can be certain that I paid close attention to each renewal email from my registrar and followed the widely recommended "safe practices" when opening and reading email. Read my Anti-Phishing page f and visit the Anti-Phishing Working Group or more information

Archived at http://www.securityskeptic.com/arc20071001.htm#BlogID655 by Dave Piscitello  

I read James Gaskin's column, The Fred Security System: Improve security for zero dollars with some interest and of course skepticism:-) Jim proposes that every company have a "Fred", a reasonably smart and suitably trained individual to whom email attachments can be forwarded for inspection. Fred uses his antivirus, anti-phishing and anti-spyware savvy and his amply fortified workstation to ferret out malicious email payloads and attachments that possibly adds a level of malware protection without increasing your budget.

My experience with Freds is that they don't always pan out the way Jim suggests. I've met lots of Freds. I call them Bob. But for now, let's stick with Fred.

I'm OK with educating users on the dangers of malware. I'm OK with giving users who show some savvy a reasonable set of malware detection tools. And I think that in very small businesses, having a Fred is a reasonable idea as long as the small business can escalate the problem beyond Fred to a competent, affordable, and trustworthy 3^rd party. I have several reservations, based on experiences with Freds in businesses small, medium, and large.

Fred is not 24x7 available. Fred's inspection capabilities and breadth of knowledge regarding malware are more limited than any automated system such as an email security proxy or Unified Threat Management appliance. Most importantly, Fred can't keep current with the insane pace and variation of malware attacks. Unless Fred is seriously over-qualified for his role, I speculate that Fred entirely ill-prepared to deal with never-before-seen or 0-day attacks (I hate this term, BTW).

My experience is that Fred is not zero-cost. Fred is being paid, ostensibly to satisfy a role other than malware ferret. Hours Fred devotes to ferreting out malware don't appear in the security budget but affect productivity elsewhere. This is security through budget obscurity. It's also my experience that Fred doesn't scale. One Fred can perhaps deal with malware in an office of 10-25, but how many Freds will you need for an office of 50, 100, 1000?

I suspect that if you study costs carefully, you'll find that even a single Fred costs more than the gateway antispam inspection software that even SMB/SOHO firewalls and unified threat management (UTM) appliances cost today. I'll venture that you could buy a Watchguard, SonicWall or Netscreen UTM with annual subscription for virus/spam/IPS definitions probably for than the cost of buying Fred lunch for 6-8 months (possibly depends on how much Fred eats).

Will a malware gateway/UTM improve security without increasing your budget? Of course not, nor will it break your budget.

One last life-lesson regarding Freds. All my SMB consulting is pro bono or deeply discounted as favors to friends, schools, and parishes. In all these networks, I find Freds. The difficulties I've experienced when dealing with nearly all Freds (or cleaning up after them) is that they cannot resist opportunities to play sys admin. They read about a registry setting and can't wait to change it on everyone's system. They read about secure browser settings, run to every novice's desktop and rejoice in having made the network a safer place. They wreck havoc on innocents who find that they can't use their browser as they've been taught, who encounter errors they don't understand, who learn to lock their offices to keep Fred at bay, and who roll their eyes when the consultant comes in to remedy wounds Fred has inflicted.

User Freds as you would a topical cream for a rash or insect bite: apply in small doses, monitor carefully, and never conclude it is an effective substitute for a physician's knowledge and expertise. If you want a Fred rather than a UTM appliance, however, you may as well train Fred to be a sys admin because that's what he'll very likely try to be.

Archived at http://www.securityskeptic.com/arc20070901.htm#BlogID647 by Dave Piscitello  

Colleague and friend Marcus Ranum wrote a really interesting article and review of executable control software for Windows XP. The article, Execution Control: Death to Antivirus, documents Marcus' long struggle to deal with malware on Windows XP. In typical Ranum fashion, Marcus delivers one scathing criticism and condemnation of vested self interest after another as he explains why he punted Norton AV from his security software inventory, how he began hunting for a "default deny" approach to managing executables on his personal computers, how the honeymoons with two commercial products ended in divorce, and how he finally found a freeware soul mate in the form of ExeLockdown from Horizon Data Sys, Inc..

Unfortunately, while Marcus has found a security soul mate, the rest of us won't be so fortunate. I visited Horizon DataSys to download a copy of the freeware and it's no longer available. I used the real time chat to ask a company rep why it was no longer available and he explained that "we are creating a better version that will work in enterprise environments as well as Vista. The old version was offered as freeware and was more of a support issue without any revenue."

While I can't blame a company for wanting to earn a profit and focus support on for fee products, it's hard to understand why they can't leave the freeware available for users sophisticated enough to use it without support. I also can't fathom how any company that has the good fortune to get as respected an authority as Marcus Ranum to write something positive about its product would "leave the money on the table" by taking the product out of circulation. Isn't it possible that the cachet a company earns from word of mouth like, "oh, yeah, that's the company that has that neat execution control program Marcus wrote about" is worth a token support effort for a freeware program? Some day, someone will explain marketing to me.

Archived at http://www.securityskeptic.com/arc20070701.htm#BlogID629 by Dave Piscitello  

While updating my antispyware resources pages, I discovered that the hyperlinks to articles I'd written for SecurityPipeline were redirected to DarkReading.com. I contacted the editors, who explained that Security Pipeline's content was not carried over to the new

publishing platform when Dark Reading was created. Dark Reading's editor, Tim Wilson, did grant me permission to publish these articles at Core Competence's site, and you can now find the following articles here at the Security Skeptic:

• When It Comes To Anti-Spyware Tools, Accuracy Is Key

• Legislation Won't Stop the Spyware Juggernaut

• How to Keep Spyware Off Your Enterprise Network

• Blocking Spyware at the Network Gateway

I also took the opportunity to update the Spyware resources pages and have added several recent articles, reviews and recommendations for antispyware freeware.

Archived at http://www.securityskeptic.com/arc20070701.htm#BlogID626 by Dave Piscitello  

One of the most commonly email harvesting methods used by spammers is spambotting, where automated software is used to search web sites and harvest email addresses. For a while, many folks tried to thwart harvesting by what I'll call @ avoidance, i.e., including an email address in a format such as user [at] domain. Spambots are now sophisticated enough to search for this and other permutations of email addresses.

If you must post your email address on web pages, a better method is to add CAPTCHA-based email protection. A CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) program creates a test or challenge a human being can correctly answer but that a spambot cannot. The most commonly used CAPTCHA technique is one where a user must type words that have been displayed, often in a distorted form. Another for, ESP-PIX, presents the user with a set of images and the user must identify an object that is common to the displayed set.

Some wonderful folks at Carnegie Mellon University provide a simple means to add CAPTCHA to your web site. Visit The reCAPTCHA Project to generate HTML to CAPTCHA-proect your email address. Enter your email address in the reCAPTCHA Mailhide form, cut-paste-customize the HTML, and include wherever you publish your email address.

For example, my blog pages no longer include mailto: HTML statements. Instead, I've included a hyperlink in my left navigation bar. Click on that link and you'll be challenged in this manner:

Answer correctly and you'll see

My email address is pretty much out in the wild, but I'm adding it on my site to illustrate a point and hopefully help others mitigate spam.

Archived at http://www.securityskeptic.com/arc20070601.htm#BlogID621 by Dave Piscitello  

In BlogID608 I mentioned IT Security's 103 Free Security Applications, and promised to test and review some of these. As promised...

Spyware Terminator is a very nice and complete antimalware package. At first, I was hesitant to even install this package because I recalled a similarly named scamware product, Spyware X-Terminator. After poking around other antispyware and malware info-sites, I sorted through the conflicting opinions and misinformation before concluding these were indeed different packages.

Spyware Terminator provides real-time protection, spyware removal and quarantine. Spyware Terminator provides two levels of scanning: full and quick, and the latter lived up to its name by completing a scan in under 1 minute on three different Windows machines. Spyware Terminator provides a rudimentary host intrusion prevention system by building a list of installed, spyware-free programs and only allowing these and other applications identified by you or the developers as known-to-be-safe applications to execute.

The installer provides an integrated version of the popular open source-based WinClamAV antivirus software. WinClamAV is based on the same antivirus engine as the version I'm using on my MacBook and I'm just as comfortable installing and using it on a Windows machine. On my test systems, I ran Spyware Terminator without interference or conflict with AVG 7.5 Professional antivirus (I used this instead of WinClamAV on one PC) and other antispyware software (SpywareGuard, Spybot Search and Destroy). Automatic updates, beginner/advanced/expert configurations and a file analysis utility (to test if a file is suspect-ware) make this a useful antispyware package. A commercial version is available for organizations who want to centrally administer antispyware measures on all machines connected to a network.

Archived at http://www.securityskeptic.com/arc20070501.htm#BlogID612 by Dave Piscitello  

Everyone knows about and receives spam. Many folks also receive spam on instant messaging (SPIM), IP Telephony (SPIT), and even short messaging services (SPASMS). Now, even the chat channels of popular online games like World of Warcraft are attracting spammers.

So from the original coiner of the acronym SPASMS, I give you SPOG - spam on online games.

I play WoW with my colleagues and my son. It's a nice break from the real world; in WoW, I encounter a much higher percentage of pleasant and generous characters than the real world. I get to whack the heck out of something with impunity. I learn crafts and trades. And until recently, I had a high signal-to-noise ratio on the chat channels. Unsolicited advertising is now invading my leisure world! This is NGAT (not good at all) and I am definitely not ROFL (rolling on the floor laughing).

One way to measure whether something is acknowledged as A Problem is to search to see if someone's invented A Solution. Sure enough, if you Google "World Warcraft spam" you'll find antispam plugins like Spam-Guard Plus, which "monitors say, yell, tell and numbered chat channels for spam and automatically ignores spammers for the rest of the session". (Source squelch - I love it)

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID534 by Dave Piscitello  

Colleague Anton Chuvakin posted a solid and up to date article on spyware on O'Reilly's WindowsDevCenter website. In the article, Anton offers a good taxonomy of spyware and an equally good explanation of countermeasures and recovery procedures. Anton reiterates one piece of advice I routinely see in antispyware articles:

"As far as responding to a spyware infection, the only guaranteed 100 percent effective measure a user can take is to rebuild a system. Only this will guarantee removal of all traces of malicious software from a system."

Home users are most accustomed to rebuilding a system from scratch from the OEM recovery disks. This method has the unfortunate consequence of providing you with a clean, default installation. Users must then reinstall applications and reconfigure security settings. In some cases, users may lose configuration data they haven't stored elsewhere, including Internet access settings and (woefully) all those passwords they may have stored using password management software or (yikes!) Notepad.

I recommend that users, home and professional, invest in disk imaging software. When you purchase a new computer, and before you connect it to the Internet and browse the web, install all the software you most commonly use - Office, security software, etc. Configure the security settings you will rely upon as your security baseline. Now make a complete image of your C:\ drive using the imaging software. If you ever have to recover your Windows OS following a spyware or virus infection, reinstall the "recovery image* you created.

In BlogID #298, "Beyond my documents", I recommend disk partitioning. Follow the recommendations in this item, make certain that you back up configuration data and your recovery image on a partition other than C:\, and you'll be able to recover your PC to a more complete and secure state from a spyware infestation. You may have to reinstall some applications you installed after you created your recovery image, but in my experience, you will reduce your effort from several hours to 30-40 minutes. Remember: if you want a clean recovery image, you can't surf the web, read email, transfer files, IM, or use any application that my store or upload cookies, files, scripts or executables on your computer.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID507 by Dave Piscitello  

Despite the real and present dangers Internet Identity Thefts, Phishing and email scam attacks pose, we cannot afford to overlook measures we can take to protect our identities and credit from attacks in the real (physical) world.

Financial institutions, law enforcement agencies and attorneys recommend a number of ways you can protect against credit card theft and misuse, check fraud, and unintentional disclosure of personal information that can be used by impersonators, extortionists and other malicious or malevolent persons. A short list of some of these follows...

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID501 by Dave Piscitello  

I received several comments shortly after boasting that I had successfully blocked DoubleClick. There are many ways to block advertisers. I have used cookie blocking, manipulating domain name resolution, and configuring a "blocked site" policy in a firewall.

Blocking Ad cookies is simple and can be done by configuring a browser to block 3^rd party cookies, which are often written to your computer by ad tracking companies. Read how to do this in IE 6.0 here. The same feature is available in Firefox via the Cookies tab of the Privacy Option under Tools. Many antispyware software also provide cookie blocking. (An interesting feature of Firefox allows remove a cookie and block a site from ever setting it again).

An advertiser must open connections to its ad server to collect the information it stores in the cookie it has placed on your computer. These connection attempts are programmed into web pages you visit (the site hosting pages with such hidden connections pays the advertiser for its tracking and targeted marketing services, and is called an affiliate). Fortunately, an advertiser must use the DNS to resolve the domain name of its ad server to an IP address. By modifying your PC's hosts file so that ad server names resolve to localhost (127.0.0.1), you redirect connection requests to your own PC. These will fail quickly. The rest of the page you visit will load. You may see an error similar to the one I captured in BlogID #487, but this depends on how the page is programmed. Either way, DoubleClick can't collect information from you. You can point domain names of all the ad servers you wish to block to localhost, including DoubleClick, AdTech, Honesty, Profero, ValueClick, and hundreds of others. Find lists of ad server lists here. If you run Active Directory on your network and want to block ad servers uniformly across all client PCs, create a group policy to replace the user host file at logon. This trick may also thwart hijacking spyware that alters the user host file.

You can also block ad sites by including the domain names or IP addresses of the ad servers in a blocked site list at your firewall. Your firewall may drop attempts to connect to the blocked site, or it may return an "unreachable" error. Both will cause an 404/http error (page not found). Firewalls and proxies that block sites can also be configured with custom 404 errors, so an admin can advise users that ad blocking is in effect.

But admins shouldn't expect users to go out of their way to thank them.

Archived at http://www.securityskeptic.com/arc20060101.htm#BlogID488 by Dave Piscitello  

Chris Powell has written an eBook that provides a wealth of information and good advice to protect against phishing attacks. The book is written with non-technical Internet users in mind. Written in "plain speak", Online Predators Revealed makes powerful use of interesting analogies and provides plenty of simple-to-follow advice to help even school age children avoid phishing and web spoofing attacks.

Archived at http://www.securityskeptic.com/arc20051201.htm#BlogID484 by Dave Piscitello  

Spyware was a hot topic at the NWW Security Tour 2005 Q & A sessions. One attendee asked for opinions on running multiple spyware solutions on the desktop. It's pretty common for anti-spyware specialists to recommend that you run more than one antispyware solution in posts to antispyware forums like SpywareInfo.com. The most common recommendation is to run both a reputable commercial solution (Aluria, WebRoot, SunBelt CA eTrust...) alongside a freeware product (typically Spybot Search & Destroy), and complement this with a reputable antivirus solution.

One oft-cited upside of running multiple solutions is to increase breadth of detection: one solution may detect spyware that the other overlooks (or does not yet have a definition to distribute). Another upside is that one solution may perform a more complete removal of a spyware package (i.e., running a 2^nd removal tool immediately following the first may result in the detection of a Registry setting that should have been removed for completeness by the 1^st tool but had not). The downside is that the products somehow interfere with each other, or even the antivirus solution.

The humorous side, as I mentioned in this SecurityPipeline article, is that "some products point accusing fingers at each other".

Given the number and combinations of antimalware software you could install, I can't absolutely guarantee you'll have no adverse effects by installing more than one antispyware solution. I can only tell you that I've installed combinations of commercial antispyware software alongside Spybot S & D, SpywareBlaster and SpywareGuard on every PC and laptop in my office and have not experienced any ill effects.

Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID467 by Dave Piscitello  

Christopher T. Beers has performed a fairly comprehensive review of seven antispyware products for SecurityPipeline.com. In Review: Spyware Detectors, Beers reviews products from CA eTrust, F-Secure, McAfee, Trend Micro, Lavasoft, Sunbelt, and Webroot. The analysis is very thorough. A really clever and useful feature of this review is that it lets the reader adjust the product feature weighing factors. You fire up a Java applet, adjust weight of factors you are most interested in, and the Report Card recalculates the product scores. I've always complained that weighing factors selected in comparative tests weren't useful, and now the tuner's in my hands - cool!

Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID466 by Dave Piscitello  

Once some folks learn to recognize phishing email, they ruminate over the fundamental evil inherent in a phishing attack, and become tempted to protest or retaliate in some way. Resist temptation! Here's why...

Always bear in mind that phishers are criminals. Most sensible people would resist the temptation to stroll into a hideout and ask all the burglars present to stop surveilling your home, because they would justly fear (physical) retaliation. Visiting a phishing web site is essentially the same act. You are putting yourself at the mercy of whatever measures the phisher chooses to employ at his web site to protect himself, or to do more evil. Phishing web sites are not safe neighborhoods. Consider:

• While you are satisfying your indignation completing a web form with "leave me alone you evil SOB" in all the forms fields, the web site may be uploading a keylogger to your PC.
• Should you find an "unsubscribe" mailto or link at the phishing web site and add your email address, you are simply confirming to the phisher that your email is actively in use and inviting more spam and phishing email.

Leave protests to automated services like BlueSecurity (bluesecurity.com), report abuse to spam to antispam services like spamcop (spamcop.net), to antispam vendors (Barracuda, Postini, et. al.), or to the FTC (forward spam to UCE at FTC.GOV).

Archived at http://www.securityskeptic.com/arc20050901.htm#BlogID459 by Dave Piscitello  

Time for another question from the Network World Security Tour. I promise this series won't devolve into a text version of StrongBad eMail from HomeStarRunner.com...

How can spyware websites continue to operate once they are discovered?

Once spyware infests a computer, its mission is to spy upon the PC user, or to redirect or force the user to visit an affiliate web site. A second and equally important goal for spyware is to evade detection, so that it can continue its primary mission. Several observations can be made from this behavior.

• Spyware is stealthware. It's hard for an average user to know which web site installed spyware on his PC; in fact, most spyware-affiliated websites are discovered by antispyware software research teams and antispyware activists who trawl the net in search of offenders.
• Legal action is not "rapid response. Once spyware-affiliated web sites are discovered, the first response by antispyware software vendors and activists is commonly one of technology and countermeasure (e.g., add the site to a blacklist, analyze the spyware installer sample to obtain a signature and identify removal procedures, etc.). This is in my opinion the right response because it can have a material and immediate affect. Moreover, reporting and "hunting down" spyware-affiliated sites is a time-consuming process of tracking down the operators, determining which if any laws have been broken, and obtaining the cooperation of judicial and law enforcement systems to terminate operations or take the operators into custody is formidable for professionals, and more than the average user can tackle with any hope of success.
• The numbers work against us.Even if (enforceable) international laws existed, the number of spyware-affiliated web sites is estimated in the hundreds of thousands, making the task of enforcing the laws practically impossible.

As you see, it's not a simple matter of "weak international laws" as was suggested by the tour attendee who submitted this question. Spyware is yet another example of a virtual arms race, and for the moment, we're losing the battle.

Archived at http://www.securityskeptic.com/arc20050901.htm#BlogID458 by Dave Piscitello  

Blue Security's approach to combatting spam has attracted its fair share of criticism. Blue combines a proactive Do Not Mail Registry with an automated protest campaign against spammers. Most of the criticism is off target. In several articles, it's clear the critics didn't understand the approach; in other editorials, the critic is exercising his Internet-given privilege to flame.

Blue's protest, performed on behalf of its Do Not Mail subscribers, is a tightly controlled email and forms submission response. It's not a DOS-like retaliatory strike at merchant email accounts, web submissions pages, and access circuits as described by several critics. If any of the critics had taken the time to open-mindedly discuss Blue's methodology with their CEO Eran Reshef, they'd have learned that the response is proportionately bounded: one spam, one complaint. Disclosure: I know Eran well. If you spend any meaningful time talking with him, you'd have to wonder how anyone could conclude that this guy would design a service to "go postal" on spammers.

Blue does what individuals can do themselves: find a party responsible for the spam and complain. Blue does this more scientifically, with more coordination, and to a greater scale than individuals can. Blue wants to change the spam value proposition and ROI, which is ultimately the only way we will ever effectively defeat spam. It's reasonable, proportionate, and ethical.

Marcus Ranum recently wrote an excellent editorial debunking the claims that Blue's approach is unethical. You can read it at http://www.ranum.com/security/computer_security/editorials/bluesecurity/. In the editorial, Marcus gives a thoughtful and thorough analysis of Blue's process. Frankly, it should be required reading for folks who have been publicly critical of Blue Security. Marcus also considers criticisms and concerns that have been brought to the public's attention and explains why they are inaccurate, difficult to corroborate, or just plain silly.

The editorial (thankfully) has a good measure of Marcus' wit and keen edge. You really ought to find time to visit the page and read it.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID446 by Dave Piscitello  

My article on assessing antispyware software is available at SecurityPipeline.com. This article debunks the myth that users and administrators can draw useful conclusions regarding the quality of antispyware products based on numbers of spyware detected, and offers a better basis for comparison. The full article can be found here.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID440 by Dave Piscitello  

Good enterprise IT organizations appreciate the importance of orderly processes and centralized control. These characteristics are evident in the software, technology, and workflows they employ to manage complex networks. As they deploy currently available technology to combat spyware, enterprise IT departments have not lost sight of the requirements that will help integrate antispyware measures into standard desktop administration. More...

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID439 by Dave Piscitello  

Roger Seeholzer (Adjunct Professor, University of Maryland University College Europe) contacted me some time ago, asking permission to use graphics from Phishing columns I'd written for Loop as resources for a presentation at CSI 2005. I agreed, and he's graciously returned the favor by sending me a copy of his presentation. You can find it here [pdf], and you can find my columns at http://www.securityskeptic.com/phishing.htm

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID436 by Dave Piscitello  

I've written a white paper for Aluria Software that explains the threats and issues spyware poses to businesses small and large. The white paper also identifies ten requirements that businesses should consider when evaluating business-suitable antispyware solutions. The paper concludes with an assessment of how Aluria Software's Paladin product meets the requirements I identify.

You can download the white paper in pdf format from Aluria Software.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID424 by Dave Piscitello  

An on-demand version of my presentation on business-grade anti-spyware is available from TecWeb. During this webcast, I offer my list of top ten requirements for businesses seeking to deploy antispyware measures at the desktop. Find the registration page at TechWeb Today.

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID423 by Dave Piscitello  

Channel Viewpoint has posted a re-hash of an article I wrote earlier this year for Watchguard Technologies. Profiting from IE's 'problems' is written to help organizations where business practices impede a switch from Microsoft's built-in browser to an alternative. The article explains how organizations can reduce the spyware threat through central IE policy definition and distribution via Active Directory, and more.

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID418 by Dave Piscitello  

Preparing for a security session I moderated at Interop in Las Vegas, I began thinking about the subject of unsolicited messaging. The session, entitled "Is the end in sight, or will SPAM, SPIT and SPIM spin entirely out of control?", seemed to overlook one category of unsolicited messaging that has recently become a burden to cell phone users - spamming short messaging systems.

Colleague Caleb Sima at SPI Dynamics has done several presentations explaining how it's possible to DOS certain cell phones using SMS. In some cases, the subscriber is billed for thousands of unsolicited messages. In others, the phones freeze. And of course there are messages that you simply don't want to receive (The Do Not Call List notwithstanding...).

I realized that I had not seen an unique acronym applied to SMS spam, and one quickly came to mind: SPASMS - Spam Against Short Messaging Systems!

You saw it first here.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID397 by Dave Piscitello  

Layered defenses have become standard procedure for blocking the current generation of security threats. To block against viruses, spam and intruders, organizations deploy countermeasures at the network gateway and again in individual client systems.

Until now, layered defense against spyware was difficult or impossible. There are plenty of desktop anti-spyware products, but almost none that are server-based. But vendors are moving to fill that gap.

Read the rest of this article at SecurityPipeline.com

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID393 by Dave Piscitello  

Antispyware legislation is doomed to repeat history.

Advertising (adware) lobbyists are succeeding in distracting lawmakers into a debate over whether different kinds of software are - or are not - spyware. Congress has already exempted cookies and web bugs as "not spyware". The banana peel is now accurately positioned to help both Houses slide down the slippery slope every consumer and legitimate business hoped they'd avoid.

Nothing good can come from examining each advertising-enabling technology to determine whether it is or is not spyware. Every software, like every knife in the cutlery drawer, and every gun in the pickup rack (remember where I live) can be used for good or evil.

The web bug and adware exclusions really irritate me. Would these same congressmen allow anyone to access telephone usage records? Even in the post-Patriot Act era and from a Republican congress, this seems unlikely. How different is telephone wiretapping from granting anyone an implicit license to add an "IM-bug" to track every instant message, and why does a law enforcement agent require a court order for the former, but (presumably) not the latter?

Let's pause a minute and re-think whether tracking technology is the problem, or whether the problem is really deception.

With this Congress, perhaps we should use the "guns don't commit murders, people do" approach. Software doesn't commit espionage, ...

Antispyware legislation should be easy to write.

• If it is installed without notice, consent, or the ability to opt-out, it's spyware.

• If the intent is to copy and transmit information or monitor behavior without your knowledge or consent, it's spyware.

• If the notice is not crystal clear in describing intent and copious in identifying what information is to be copied, transmitted, and monitored, it's spyware.

We have precious little control over personal information left.

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID389 by Dave Piscitello  

I received an email from Ken Lloyd of Spywaredata.com asking if I would provide a reciprocal link at my spyware page for his site. I visited the site and found an impressive and well-organized spyware database. Spywaredata has searchable categories for Processes

Linked Service Providers, BHOs, Toolbars, ActiveX, StartUp files and Search Engines. For each spyware, the site identifies the directory path, classID, spyware company, variants, and the number of infestations reported. I asked Ken about these statistics, and he replied as follows:

SSI was created over a year ago to track and subsequently identify the latest Spyware threats actually affecting the Internet. If you are familiar with the new Microsoft's "SpyNet" project that was released a few months ago, SSI performs analogously and has been actively identifying spyware since January 2004. Here is how it works:

User's download our free SSI software and simply double click the program icon. SSI immediately scans your computer for any active spyware then that information is presented to you. At that time you can choose to have this information analyzed against our real-time database. The results are promptly presented to our users with removal instructions. In addition, if we find unknown spyware we can then ask the user if they would like to upload these files for our technicians to take a closer look.

SSI is designed to be extremely easy for our users to understand and use. And with that we have processed over 210,000 scans.

I ran Ken's SSI on three PCs here, all protected by different antispyware software. SSI ran, uploaded the results, launched Internet Explorer (Firefox support is in beta), and presented a results page. SSI detected several unknown file types (e.g., Shavlik's patch management software, HFnetchkPro4, some XP SP2 dlls), and found a copies of ICONSPY and ViewPointMedia. From this page, I visited the "remediation" page, where I found instructions on how to remove the pest. SSI appears to be yet another useful tool to add to the never quite complete antispyware toolkit.

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID386 by Dave Piscitello  

Recently, a fellow security professional asked if he could use some of my anti-phishing material in a presentation he was preparing for an upcoming CSI conference. Revisiting the presentation I gave at IPComm 2004, I recalled (and related) a dialog I had with an attendee about an interesting behavior modification program .

The attendee was an IT admin. With the approval of management, IT created a phishing email and hosted its own bogus web site based on a real attack, then emailed every employee in the company. Employees who responded to the link and completed the form received a subsequent email from IT advising them that they had fallen victim to a phishing attack, and they were now obligated complete "remedial therapy", in the form of a 30 minute anti-phishing seminar after close of business (mandatory attendance).

Two weeks later, IT modified and the re-attempted the phishing attack. The numbers of respondents were smaller. Again, employees who fell victim were required to attend a seminar.

IT now repeats the process routinely, and the number of phishing victims is now dramatically reduced.

I wish I could acknowledge the attendee since this is a simple but creative phishing countermeasure, and someone deserves kudos for dreaming it up. I'm just paying it forward...

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID383 by Dave Piscitello  

Poor PayPal seems to be the most popular lure among phishers these days.

I receive phishing emails almost daily warning me that my PayPal account is under review for security reasons. The most recent spate of these uses HTML in a particularly insidious manner to deceive even those recipients who are savvy enough to be wary of embedded hyperlinks.

Many antiphishing resources, including my own, warn people to make use of the browser status bar to assure that they are visiting the same URL they "see" in an email, by hovering the mouse over the hyperlink in the message, which will show the "real" URL they will visit should they click on the link.

The new phishing method uses HTML form to prevent recipients from availing themselves of this antiphishing method. The raw HTML for this deception is reproduced below:

<FORM target="_blank"  ACTION=http://rds.yahoo.com/*http://www.google.com/url  METHOD=get>
<INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*http://www.securityskeptic.com/%6D%61%6E%75%61%6C/webscr/>
<input type=submit style="color:#000080; border:solid 0px; background:#white;" value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>
</form>

I've substituted my own domain name, hhi.corecom.com, where the phisher typically puts his deception web site. What recipients see when this is used follows.

Try hovering over the hyperlink. Nothing happens. Now click it, and you'll reach my 404 Error page - of course, in a phishing email page, you'd end up at a deception web page.

Increasingly, too, PayPal phishers are including many legitimate links to real hyperlinks at PayPal, e.g.,

To receive email notifications in plain text instead of HTML,
update your preferences <a href="https://www.paypal.com/us/PREFS-NOTI" target="_blank" > here</a>

This is all part of selling the deception.

HTML is a really wonderful and powerful language, but it is so easily manipulated for malicious purposes that you should really consider whether you need your email to be "pretty".

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID382 by Dave Piscitello  

Spyware has reached such epidemic proportions that legislators in the US Congress as well as state legislatures are responding to public outrage by drafting bills to prohibit its distribution, stem abusive practices and protect Internet user privacy. Unfortunately, pending and recently enacted anti-spyware laws are considerably flawed and could actually cause more harm than good. In fact, many experts believe we'd be better off if we'd simply put more effort into enforcing existing laws that prohibit fraud and deceptive business practices. And nearly all knowledgeable parties acknowledge that spyware is a technology problem that requires a technology solution. More...

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID380 by Dave Piscitello  

Most people who read my blog are familiar with the SANS Top 20 Vulnerability list. Trend Micro, Vexira, and in fact, most antivirus companies host lists of the current most prevalent malware. PC Pitstop hosts a similar list of the Top 25 Spyware.

The rankings are derived from results of approximately 50,000 PCs that visit the site to run a signed ActiveX control spyware scanner (signed, how refreshingly unique!).

PC Pitstop acknowledges that their Top 25 rankings are biased. PC users who visit frequently to test for and remove pests based on the scan results will have less spyware than a randomly sampled population (the site apparently doesn't weed out repeat visitors). Still, it's an interesting list.

I ranted earlier this week about informed consent and disclosure. Legislators ought to study PC Pitstop's privacy policy and the excruciating detail they provide regarding cookie use, information collection and use, and "what they do to your PC". They tell you what they do; how they do it and why; how you can review what they do; and give you the opportunity to decline. Legislation doesn't have to be any more complicated than insisting that advertisers be as diligent as PC Pitstop. Well done...

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID379 by Dave Piscitello  

Mitch Wagner, my editor at SecurityPipeline.com, wrote an editorial recently about the fuss adware vendors are making over the fact that their ware is really not spyware. Whether their ware spies or not is quite honestly irrelevant to the vast number of users (and SecurityPipeline readers). Choose any name you wish, adware is unsolicited, unwanted, and intrusive. But, for the sake of a blog entry, let's find an appropriate name.

So far, "scumware" is the most generic, appealing, and accurate label. SearchSMB.com defines scumware as "any programming that gets on your computer from Internet sites without your consent and often without your knowledge. Scumware is a general term that encompasses spyware, adware, annoyware, malware, parasiteware, unwelcome cookies, and various forms of viruses".

This definition works for me and everyone I asked today:-)

Why do the FTC, state and federal legislators insist on trying to narrow the definition of spyware, when most of the affected population would prefer to leave it as broad as possible? Users want to know what is being installed on their computers, and for what purpose, and want the right of informed refusal and consent. And make the default selection "refusal". This is exactly the opposite of what occurs today with all scumware.

You want effective legislation? Focus on informed consent. Force software vendors to a pure "opt-in" model, something that never materialized in postal delivery. Identify what constitutes deceptive and unauthorized use and installation of software. Make it illegal to install software without expressed user approval, and make vendors write intelligible terms of use and scope of application. With legislation of this kind, most folks will make intelligent opt-in decisions when asked whether they want Windows update or WhenU. Which ,of course, is exactly what adware vendors are most fearful of.

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID377 by Dave Piscitello  

David Glosser has written an antispyware open source Perl script that runs on a Windows host under ActivePerl and TieRegistry. The Perl script scans the registries of all the computers of a Windows domain for the existence of Browser Helper Objects (BHOs), a common form of spyware. The host computer must be a member of the domain and have remote access privileges to the registries of the computers in the domain.

Remote BHO Scanner doesn't remove spyware. It does provide a report of BHOs discovered in the domain. This is an interesting tool for administrators who might want to routinely scan for BHO infestations. The reports will probably help admins convince more senior management that spyware is indeed a corporate as well as consumer problem.

David indicates that Bleeding Snort has volunteered to host Remote BHO Scanner. David also indicates that more information can be found at http://www.mgmg-interactive.com/mgmg/malware.html.

I've only toyed with this script thus far, but it's a very interesting and different way to tackle a growing spyware problem.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID363 by Dave Piscitello  

Colleague Scott Pinzon referred me to an excellent post describing one frustrated dad's attempt to trace a spyware infestation back to the folks who make money in this nasty business. Read Follow the Money; or, why does my computer keep getting infested with spyware?

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID357 by Dave Piscitello  

Microsoft began offering free downloads of the beta version of the antispyware software they recently acquired (Giant). I'm a bit late to the review gate, but here's my anecdotal assessment.

The beta only runs on licensed systems. You must run the Microsoft validation agent, which ironically means you must allow ActiveX controls in your IE settings. Frankly, since this is a beta, I question whether Microsoft would have earned more mileage offering the product without qualification. Spyware's a huge problem, and I think they not only missed a major marketing and distribution opportunity but an opportunity to serve the Internet community as well.

Giant had a reputable product before Microsoft acquired it, and while Microsoft may have standardized the look and feel, they seem to have adopted an "ain't broke, don't fix it" approach. The product has the features you should expect from quality antispyware software, and some interesting features I hadn't seen before. Realtime protection monitors dialup, messenger and WiFi activities; changes to Internet safe site lists, winsock lsps, windows services, critical .ini files, as well as shell, scheduler, and TCP/IP changes. Protection from directory trojans, startup, BHO, registry, IE settings, installed component spyware is also present. You can create restore points and schedule full or custom scans.

Microsoft's default security settings are all over the map. Auto-protection against spyware is enabled following installation and reboot. You must run a Setup assistant to enable auto-updates, and you must choose Real-time Security Protection. I would like to see these run by the default.

Memory footprint is modest: two processes, gcasserv.exe and gcasDtserv.exe, are only 12 Megabytes. The UI is clean and intuitive. I like the results reports, which complement the customary threat enumeration, recommended action, and threat level with a sidebar containing the initial paragraphs of a detailed description of any threat detected; an assessment of the risk, and a link for more information.

I configured an infected PC to run a daily autoscan. The initial, full scan of three partitions totalling 20 MB took 20 minutes, about par for other products I've tried (some were faster, others slower).I ran the antispyware beta on a PC with XP SP2 that had been "protected" by the freeware tandem, SpywareGuard and SpywareBlocker for about 2 months. The beta detected two threats (whenusavenow, and the brodcast/DSSagent). This result neither convinces me that Microsoft's product is excellent or that SG and SB are lame, but only reaffirms my conviction that no single antispyware product is up to the task. New spyware seems to be appearing at a pace rivaling spam, not worms, and even Microsoft will have a hard time employing enough software engineers to level the playing field.

Like many antispyware products, Microsoft's beta provides a means for users to upload suspected spyware for analysis. Microsoft offers an opt-out for its Spynet Community. I'm a committed opt-in kinda guy so this annoys me. Probing further, the link to Microsoft's privacy policy regarding Spynet Community explains that Microsoft will explicitly ask for and not disclose personal identifying information to 3rd parties except those who will perform services on Microsoft's behalf (good), but it also indicates that Microsoft will use such information to contact individuals with surveys, product notifications, etc. The policy doesn't identify exactly what information it collects: if only privacy policies from Microsoft were as detailed as its EULA.

Overall, this is a good start for Microsoft. Microsoft claims it intends to provide its customers "with new tools to help protect them from the threat of spyware and other deceptive software" but I am not clear how Microsoft plans to make the tools available. Will this will be a separately priced product, integrated with antivirus (what's the deal there, anyway?) and the Service Pack 2 Security Center?

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID354 by Dave Piscitello  

Spyware is challenging spam and viruses for the top spot on IT worry lists. Spyware poses considerable threats and risks to enterprise networks and remediation and countermeasures are now being regarded as critical to network security. More...

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID350 by Dave Piscitello  

Data Source Object (DSO) exploit is one of the removal-resistant spyware that I've mentioned in several articles. Despite running Spybot Search and Destroy version 1.3, my son's computer was infected by this because he (OK, I) did not have the correct advanced settings. SupportCave has a page that explains how to remove DSO Exploit with a small executable, DSOstop2, and how to set Spybot Search and Destroy correctly deal with this spyware.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID349 by Dave Piscitello  

The average Internet user has difficulty distinguishing viruses from spyware. SecurityPipeline launched a series on spyware with my article by this title. More...

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID346 by Dave Piscitello  

Merijn, author of the highly useful helpware, HijackThis, has written another little pearl called BHOList.

BHOList scans your PC for installed Browser Helper Objects and Toolbars, and distinguishes legitimate BHOs from evil ones. For each BHO it discovers, BHOList identifies the ClassID, filename, owner, and a hyperlink to the software producer.

BHOList also provides a simple frontend utility to a list of Browser Helper Objects and Toolbars maintained by Tony Klein, and will download all the known and categorized BHOs maintained at several antispyware activist sites.

Find BHOList at http://www.spywareinfo.com/~merijn/downloads.html, along with HijackThis and a handful of equally helpful software developed by this remarkable young man from the Netherlands.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID338 by Dave Piscitello  

Kephyr Bazooka is one of the respected free spyware scanners. Using Google sponsored links and carefully contrived META Description and Keyword tags, Vendors of the suspicious XoftSpy spyware remover infringe on and plays off Bazooka's good name and reputation.

I searched "Bazooka spyware" at Google, and the first response to this query is an advertisement page at one of the XoftSpy online shop domains. The page says, "Bazooka spyware scanner just detects spyware and does not remove it. An excellent alternative is ..."

Like most deceptive advertising, there is a half-truth here. Bazooka is indeed only a scanner. But this doesn't mean that Xoftspy is a better scanner. Of course this page doesn't claim that Xoftspy is a better scanner.

Manipulating search query replies is something I expect from porn sites, not security companies. All the genuinely useful work Kephyr Labs invested in Bazooka scanner is undermined by misleading META tagging on a commercial product's page. For the record, the META tags on the offending page are:

META NAME ="description" CONTENT="Bazooka is a spyware and adware scanner that detects spyware and adware on your system. It does not remove it. XoftSpy both detects and removes spyware and adware."

META NAME ="keywords" CONTENT="bazooka spyware, killer,destroyer,remover,eliminator,eraser"

I'm singling out XoftSpy here, but at least a half-dozen other companies pull this same nonsense with Bazooka, AdAware, and SpyBot Search and Destroy.

PLEASE don't support these folks. The degree to which they undermine the trust we place in search engines is a source of embarrassment for the entire security community.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID336 by Dave Piscitello  

You think viruses, worms, blended threats and spam are bad? Spyware is worse. More...

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID335 by Dave Piscitello  

One sure way to avoid identity theft is to resist clicking on hyperlinks embedded in potential phishing email addresses you receive. Now, even that "best practice" appears to be in question. Liberty Identity Theft Services and others report a no-click (zero-click) phishing attack, where simply opening an email message is enough to cause a malicious script to be executed.

The attack makes use of "preview windows" in email clients - yes, that convenient little window pane that shows you part of an email just became a window *pain*.

The script combines spyware and phishing techniques. From the spyware toolkit, the script employs browser hijacking: it modifies bookmarks (favorites) and redirects users to a spoofed web site. The site where the user is redirected is your basic phishing web site, i.e., one that presents what appears to be a legitimate request for personal, account and credit credit card information. (If you're unfamiliar with phishing in general, and what a phishing web site look like, read Anatomy of a Phishing Expedition.)

This attack might seem a bit more subtle than typical browser hijacks - users might not visit the modified bookmark and so may be unaware of the change - but phishing web sites don't remain online very long, so there's still a small window of opportunity. If you are running anti-spyware software such as SpywareGuard, you should be protected against browser hijacking. If you don't have browser hijack protection, you might try disabling the email preview feature on your email client. I suggest you consider one of the anti-spyware solutions I recommend here.

What a pane... er... pain.

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID328 by Dave Piscitello  

During an NGN 2004 Boston session, Antispam: analyzing the alternatives, Paul Judge of CipherTrust offered an intriguingly simply root cause analysis of why spammers are motivated to spam:

"That’s where the money is..." More...

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID325 by Dave Piscitello  

I was asked by Watchguard Wire to comment on the deceptive marketing practices certain "anti spyware" products employ to increase sales. As part of accumulating resources for my Spyware Resources page, I've installed and tested more than a dozen purported anti-spyware packages to find which are most effective. The deceptive practices of more than a few "anti" spyware vendors are pretty ugly. Read my full commentary at Watchguard Wire.

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID313 by Dave Piscitello  

Every network client must have antivirus software. We've been told so for years, and the message is finally sinking in. Network admission and integrity control are poised to enforce it today in enterrprise networks and hopefully soon for public Internet access as well. Concern over spyware is increasing so rapidly that I fully expect that antispyware, too, will be a prerequisite for network logon. The problem I foresee is that, if we instrument poorly, network admission will end up like the queues at customs and immigration services: long, slow, tedious, and frustrating. More...

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID309 by Dave Piscitello  

CoolWebSearch is one of the more insidious and treacherous browser hijacking nuisance-ware you will ever have the misfortune to experience. The miscreants behind this crudware have created a truly nasty beast. PestPatrol's Spyware Encyclopedia identifies over 70 CWS variants. They are resistant to detection and removal, and while present, they turn your "web experience" into a visit to hell.

The CoolWebSearch Chronicles offers a fascinating chronology of CWS through April 2004 (39 variants). It's an entertaining and valuable read for anyone who is trying to understand spyware.

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID310 by Dave Piscitello  

My Loop columns on phishing and spoof email are frequently visited. I've replied individually to enough emails about phishing to conclude I really ought to pull my resources together and make them available online. Visit phishing resources.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID300 by Dave Piscitello  

You think viruses, worms, blended threats and spam are bad? Spyware is worse...

Spyware is software - a program file, a browser helper object, or a dynamic link library, for example - installed on your computer, without your knowledge and permission. Sometimes called adware, nastyware, crapware, scumware, and worse, it's all aggravating, and intrusive. It's enough to turn pacifists into violent activists. In some respects, spyware evokes the same kinds of emotional reactions as a Republican National Convention.

I've been investigating spyware for a series of articles I wrote for Watchguard and Loop. Much of the spyware out there is unsolicited advertising: marketing invertebrates monitor your web browsing and direct advertising to you based on the sites you've visited. The former is annoying and maybe embarrassing: you can't begin to imagine what that one innocent visit to hotgirlsofcleveland.com does to your Internet experience.

I mention in all my articles that adware "data mining" also poses a privacy issue to individuals and a vector for sensitive information disclosure for businesses.

Then there's the "And you thought it was YOUR PC" problem. Beyond relentless advertising, spyware and adware often hijack a computer browser, driving users to alternative search sites, or even to competitors of e-merchant sites users are trying to visit. My son's PC was infected with a particularly nasty, blended threat of a spyware/adware package. It seized his browser and hosed his Google toolbar. It took any search he attempted and redirected him to some deceptive practices search site. It also warned him that he had spyware (how kind), and invited him to use Spyware Stormer (which is a rogue antispyware, BTW).

I also explain how spyware can be as malicious as trojans incorporated into a blended threat attack. Keyloggers may be installed as part of the package. Spyware may turn ugly on you. Try to remove it, and spyware may self-destruct and leave your Registry, browser configuration, and DLLs damaged beyond recovery. My son learned a "life lesson" last week, when we reinstalled Win2K Pro on his PC. That life lesson happens to include "Play with P2P, die with P2P"...

Antispyware appears to be abundant. but I'm sorry to say that deceptive practices and crapware taint the antispyware product market. Rogue spyware may offer free scans, but many produce long lists of false positives to frighten you into purchasing the product. Others, as I mentioned above, blast you with popups and other forms of unsolicited and misleading advertising: isn't this what you're trying to eliminate?

I've created a spyware resources page here. Please use it! You'll find dozens of articles explaining spyware and recommending removal and protection strategies. You'll find my personal recommendations for combating spyware here as well.

This page is an active work in progress. I welcome you to comment here or at Loop and contribute to the list of resources I've begun.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID299 by Dave Piscitello  

Mich Kabay posted a helpful column for people interested in understanding how to recognize phishing. Catching Phish describes a recent phishing scam, and is a nice compliment to my columns at LOOP, Recognizing and responding to spoof email messages and Anatomy of a phishing expedition.

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID287 by Dave Piscitello  

I've seen a definite drop in the spam delivered to my email accounts. Over the past two weeks, my Postini service has blocked 98.3% of spam, approximately 30 per day. I last spot-checked my spam filter efficacy by sampling April 3 through 16. At the time, Postini correctly detected and blocked 4858 spam email, which is well over 300 per day! What accounts for the order of magnitude decrease?

At the same time, I'm getting many more email messages with viruses attached: approximately 10 per day are blocked by my ISPs antivirus gateway, but I've also received and blocked about 2-3 per day at my desktop.

How do these compare with your spam and worm figures?

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID278 by Dave Piscitello  

Everyone who hates spam has to be delighted over the conviction and sentencing of Howard Carmack, the Buffalo Spammer. An Erie County, NY judge sentenced this low-life to 3.5-7 years for identity theft. How do I know he's a low-life? Well, the judge whacked him with a maximum sentence because he had prior felony convictions (fraud, money order forgery). Howard will keep busy in prison working to pay part of the $16 million judgment awarded to Earthlink in an earlier civil suit.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID273 by Dave Piscitello